June 2018, Vol. 245, No. 6


Defending Critical Infrastructure from Cyberattacks

By Gabe Authier, Tripwire

During the recent Critical Infrastructure Security and Resilience Month, cybersecurity company Tripwire conducted a poll to gain perspective on which types of critical infrastructure might be at most risk of cyberattack.

It asked: “In your country, which of the following services do you think is the most likely to have an outage due to hackers?”

Of the 373 participants, the majority (47%) believed that “Water, electricity & gas” were most likely. Twenty-two percent said “Transport” would be the most susceptible, and 20% voted for “Emergency services.” A further 12% answered “Other,” with many suggesting telecommunication systems.

Critical infrastructure provides the essential services that society needs to survive – clean drinking water, power to keep homes warm in the winter, transportation to get people and goods to where they need to be. These assets deserve the strongest protections, and in this world of increased digitization and connectivity, cybersecurity should be of utmost concern.

Why such a concern now for water, electricity and gas utilities? Compared to other sectors, cyber threats are relatively new for industrial environments. Much of today’s energy infrastructure didn’t grow up with the Internet as we know it today. Security concerns were primarily around physical access. From recent events, however, it should be apparent by now that cyberattacks are a real and present danger to critical operations.

Just this past August, malware shut down machinery at an oil and gas plant in Saudi Arabia. Dubbed “Triton” or “Trisis,” this nefarious malware was one of the few cases known to successfully manipulate industrial control systems (ICS). While malware known to be specifically designed to attack ICS is somewhat rare, this was just the latest in a string of ICS-targeted attacks that seems to suggest that cyber-threats against critical infrastructure are on the rise.

In 2017, the radiation monitoring system at Ukraine’s Chernobyl Nuclear Power Plant went offline due to the Petya cyberattack. In 2016, cyber attackers took down a Ukrainian power grid, causing a blackout equivalent to one-fifth of its total power capacity, by deploying malware named Industroyer or Crash Override. And of course, the infamous Stuxnet damaged centrifuges in an Iranian nuclear facility in 2010.

Digitization brings about several benefits for the energy industry. Connectivity and data-driven insights can unlock new levels of productivity, efficiency, availability and reliability. However, the digital technology used to run machines more effectively and optimize operation and maintenance can be a point of exposure for cyber-attacks that could undermine all that. In industrial environments, cyber-attacks not only pose the risk of data loss, but also the risk of shutdown, physical damage, and even loss of life.

When taking advantage of connectivity’s business advantages, operators need to understand and address the associated cybersecurity risks, especially with respect to ICS, where digital can have real physical consequences.

With the world depending on the availability of energy, and the potentially catastrophic consequences that cyber threats pose, it’s important that owner-operators catch up quickly on cybersecurity. Unfortunately, it’s not as simple as applying typical corporate IT cybersecurity practices to industrial environments.

In IT environments, devices are all Internet Protocol (IP)-based; that is, they all speak the same language. Operational technology (OT) has evolved tremendously over the years, creating very complex environments. Energy facilities house a wide variety of devices from different makes, models and generations communicating through different protocols, making it hard to keep track of everything on the network, and subsequently harder to secure.

Another challenge to industrial cybersecurity: operators often feel that they can’t implement security updates to their systems for fear that they will interrupt operations (even though a successful cyberattack could cause further interruption and damage).

These challenges shouldn’t keep the energy industry in a stalemate, however. There are practical steps energy operators can take to improve their security posture in ways that are supportive, not detrimental, to their business goals.

Understand Attack Surface

Industrial operators should start with understanding what devices and what software they have on their network. This involves taking an inventory of the assets that will be critical to secure, then choosing a solution that can speak natively to these devices. This should include monitoring systems that have not traditionally been monitored – like routers, switches, gateways and firewalls.

They should also identify which of those devices are critical to operations and therefore highly sensitive. For this set of devices, a “no touch” approach is preferred. This approach uses an integration with an intermediary device that typically talks to the PLCs in order to configure the devices and back up those configurations. Once that integration is in place, configuration data can be obtained from the intermediary device by querying the intermediary’s database and ingesting the configuration data, without ever querying the PLCs themselves.

Harden Attack Surface

Once visibility into the network is established, operators can start hardening the environment (make it harder for attackers to infiltrate the systems). Industrial security solutions should not only identify what’s on the network, but also detect changes, identify where the risks are, and help mitigate them.

Hardening begins with assessing how devices and software are configured. Misconfigurations, though many of them are simple to fix, continue to be the main vector for successful cyberattacks. A good security solution should be able to assess configurations against a defined policy and then easily fix any that are not in a secure and compliant state.

Known vulnerabilities left unpatched also continue to be a leading reason for successful cyberattacks. Security solutions should scan for vulnerabilities in your environment and prioritize for you which vulnerabilities are most critical to patch.

Alert to Change

Once the attack surface has been minimized through proper configuration and vulnerability management, the plant’s security solution should then continuously monitor and alert to any changes made in your environment. Changes made to the environment can indicate an intrusion or point out configuration changes that have weakened the security posture or put systems in a non-compliant state.

Even if certain devices are air-gapped, isolated and totally disconnected from any external-facing network, internal staff may introduce system changes without understanding the effect on security or compliance. Or worse, an intruder can bypass the air gap by gaining physical access, for example, through an infected USB drive, to carry out a cyber-attack. Therefore, even devices that you might consider extremely locked down should be monitored for change.
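The three steps above (inventory through an intermediary, assessment against a hardening policy, and alerting on change) can be illustrated end to end. The following is an added example, not Tripwire’s product or code, and it makes several assumptions: an in-memory SQLite table stands in for the intermediary device’s configuration database, the device names, vendors, firmware versions and settings are constructed, and the hardening policy (remote programming off, password protection on, embedded web server off) is a hypothetical stand-in for a vendor hardening guide. No controller is contacted; all data comes from the stand-in database, which is the point of the “no touch” approach.

```python
"""Inventory, configuration assessment and change alerting for ICS devices.

Added example. The SQLite table below is a constructed stand-in for an
intermediary device's configuration database; no PLC is ever queried.
"""
import hashlib
import json
import sqlite3

# Constructed sample rows, as an intermediary engineering workstation might
# store them after backing up each controller. All values are invented.
SAMPLE_ROWS = [
    ("plc-01", "VendorA", "CPU-1500", "2.8",
     json.dumps({"remote_programming": "off", "password_protect": "on", "web_server": "off"})),
    ("plc-02", "VendorA", "CPU-1500", "2.1",
     json.dumps({"remote_programming": "on", "password_protect": "off", "web_server": "on"})),
    ("rtu-07", "VendorB", "RTU-300", "5.0",
     json.dumps({"remote_programming": "off", "password_protect": "on", "web_server": "off"})),
]

# Hypothetical hardening policy: secure value per setting and deviation severity.
POLICY = {
    "remote_programming": ("off", "high"),
    "password_protect": ("on", "high"),
    "web_server": ("off", "medium"),
}


def build_intermediary_db():
    """Create the in-memory stand-in for the intermediary's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE device_config "
                 "(name TEXT PRIMARY KEY, vendor TEXT, model TEXT, firmware TEXT, config TEXT)")
    conn.executemany("INSERT INTO device_config VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def ingest_inventory(conn):
    """'No touch' collection: read each device's configuration from the
    intermediary's database rather than from the controller itself."""
    inventory = {}
    query = "SELECT name, vendor, model, firmware, config FROM device_config"
    for name, vendor, model, firmware, config in conn.execute(query):
        inventory[name] = {"vendor": vendor, "model": model,
                           "firmware": firmware, "config": json.loads(config)}
    return inventory


def assess(inventory, policy=POLICY):
    """Hardening step: list every setting that deviates from the policy."""
    findings = []
    for name, device in sorted(inventory.items()):
        for setting, (expected, severity) in policy.items():
            actual = device["config"].get(setting, "<missing>")
            if actual != expected:
                findings.append({"device": name, "setting": setting, "expected": expected,
                                 "actual": actual, "severity": severity})
    return findings


def fingerprint(device):
    """Stable hash of a device record so that any edit is detectable."""
    return hashlib.sha256(json.dumps(device, sort_keys=True).encode()).hexdigest()


def baseline(inventory):
    """Snapshot taken once the environment is in its known-good state."""
    return {name: fingerprint(device) for name, device in inventory.items()}


def detect_changes(base, inventory):
    """Alert-to-change step: compare a fresh inventory against the baseline."""
    current = baseline(inventory)
    alerts = []
    for name in sorted(set(base) | set(current)):
        if name not in current:
            alerts.append((name, "device disappeared"))
        elif name not in base:
            alerts.append((name, "new device"))
        elif base[name] != current[name]:
            alerts.append((name, "configuration changed"))
    return alerts


def simulate_drift(conn):
    """Constructed drift: remote programming gets enabled on plc-01 and an
    unknown controller appears in the intermediary's records."""
    conn.execute("UPDATE device_config SET config = ? WHERE name = ?",
                 (json.dumps({"remote_programming": "on", "password_protect": "on",
                              "web_server": "off"}), "plc-01"))
    conn.execute("INSERT INTO device_config VALUES (?, ?, ?, ?, ?)",
                 ("plc-09", "VendorA", "CPU-1200", "1.0",
                  json.dumps({"remote_programming": "on", "password_protect": "off",
                              "web_server": "on"})))


if __name__ == "__main__":
    conn = build_intermediary_db()
    inventory = ingest_inventory(conn)
    for finding in assess(inventory):
        print("finding:", finding)
    known_good = baseline(inventory)
    simulate_drift(conn)
    for alert in detect_changes(known_good, ingest_inventory(conn)):
        print("alert:", alert)
```

Run as a script, the assessment flags only plc-02 (all three settings deviate), and after the simulated drift the change detector raises two alerts: plc-01 “configuration changed” and plc-09 “new device”. Hashing the canonicalised record rather than storing a copy keeps the baseline small and makes the comparison independent of how the intermediary orders its fields; a production tool would also record who made the change and whether it went through change control.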

Implementing these steps establishes a strong foundational defense for industrial environments. Cyber-threats against critical infrastructure are on the rise, and in this case data leaks aren’t the only concern; severe physical damage and harm are as well. Putting critical security measures in place can help ensure our critical infrastructure remains resilient and continues providing society’s most essential needs. P&GJ

Author: Gabe Authier is a senior product manager at Tripwire, a provider of security, compliance, and IT operations solutions for enterprises, industrial organizations, service providers, and government agencies. He has over 15 years of experience in product management and information technology. Authier received a bachelor’s degree in systems engineering from the University of Arizona and an executive MBA from the University of Oregon.

